Kerberos krb5_aname_to_localname() buffer overflow
kerberos-krb5anametolocalname-bo (16268)
Description:
Kerberos could allow a remote attacker to execute arbitrary code, caused by multiple buffer overflows in the krb5_aname_to_localname library function when handling malformed Kerberos principal names. A principal name consists of three components: primary, instance, and realm. If the rules-based mapping functionality is enabled, a remote attacker must first create an arbitrary principal name in the local Kerberos realm or in an accessible remote realm. The attacker must then authenticate to a vulnerable service using a principal name that is listed in the mapping list to overflow a buffer and execute arbitrary code, with root privileges, on the system running the vulnerable service.
Note: Default configurations of the target service are not affected. Configurations that enable the explicit mapping or rules-based mapping functionality of krb5_aname_to_localname are vulnerable.
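Because only non-default mapping configurations are exposed, the first thing a defender wants is a quick inventory of which realms in krb5.conf turn that mapping on. The script below is an added example, not part of this advisory or of MIT Kerberos; it parses a constructed krb5.conf and reports realms that set rules-based mapping (auth_to_local = RULE:...) or explicit mapping (an auth_to_local_names sub-block), the two configurations the note above calls out.

```python
import re
# Constructed sample krb5.conf (not from the advisory): a RULE-based realm,
# an explicit-mapping realm, and one realm that relies on the default mapping.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
        auth_to_local = RULE:[1:$1@$0](.*@EXAMPLE\\.COM)s/@.*//
    }
    CORP.EXAMPLE.COM = {
        kdc = kdc.corp.example.com
        auth_to_local_names = {
            admin = root
        }
    }
    SAFE.EXAMPLE.COM = {
        kdc = kdc.safe.example.com
    }
"""

def find_mapping_realms(text):
    """Return {realm: [kinds]} for [realms] entries that turn on the
    non-default principal-to-local-name mapping the advisory warns about."""
    findings, section, stack = {}, None, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        m = re.match(r"\[(\w+)\]$", line)
        if m:  # new [section]; realm blocks cannot span sections
            section, stack = m.group(1), []
            continue
        if section != "realms":
            continue
        m = re.match(r"([\w.\-]+)\s*=\s*\{$", line)
        if m:  # opening of a realm block or a nested sub-block
            stack.append(m.group(1))
            if stack[1:] == ["auth_to_local_names"]:  # explicit mapping
                findings.setdefault(stack[0], set()).add("explicit")
            continue
        if line == "}":
            stack.pop()
            continue
        if len(stack) == 1:  # a key directly inside a realm block
            key, _, value = line.partition("=")
            if key.strip() == "auth_to_local" and value.strip().startswith("RULE:"):
                findings.setdefault(stack[0], set()).add("rules")
    return {realm: sorted(kinds) for realm, kinds in findings.items()}
```

Any realm reported here should be treated as exposed until the krb5 package is at or above the fixed versions listed under Remedy.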
Platforms Affected:
- Conectiva, Linux 10
- Conectiva, Linux 9.0
- Debian, Debian Linux 3.0
- Gentoo, Linux
- MandrakeSoft, Mandrake Linux 10.0 AMD64
- MandrakeSoft, Mandrake Linux 10.0
- MandrakeSoft, Mandrake Linux 9.1 PPC
- MandrakeSoft, Mandrake Linux 9.1
- MandrakeSoft, Mandrake Linux 9.2 AMD64
- MandrakeSoft, Mandrake Linux 9.2
- MandrakeSoft, Mandrake Linux Corporate Server 2.1 X86_64
- MandrakeSoft, Mandrake Linux Corporate Server 2.1
- MandrakeSoft, Mandrake Multi Network Firewall 8.2
- MIT, Kerberos 5-1.0
- MIT, Kerberos 5-1.0.4
- MIT, Kerberos 5-1.0.5
- MIT, Kerberos 5-1.0.6
- MIT, Kerberos 5-1.1
- MIT, Kerberos 5-1.1.1
- MIT, Kerberos 5-1.2
- MIT, Kerberos 5-1.2.2
- MIT, Kerberos 5-1.2.3
- MIT, Kerberos 5-1.2.4
- MIT, Kerberos 5-1.2.5
- MIT, Kerberos 5-1.2.6
- MIT, Kerberos 5-1.2.7
- MIT, Kerberos 5-1.2.8
- MIT, Kerberos 5-1.3
- MIT, Kerberos 5-1.3.1
- MIT, Kerberos 5-1.3.2
- MIT, Kerberos 5-1.3.3
- RedHat, Enterprise Linux 2.1 AW
- RedHat, Enterprise Linux 2.1 WS
- RedHat, Enterprise Linux 2.1 AS
- RedHat, Enterprise Linux 2.1 ES
- RedHat, Enterprise Linux 3 Desktop
- RedHat, Enterprise Linux 3 AS
- RedHat, Enterprise Linux 3 ES
- RedHat, Enterprise Linux 3 WS
- RedHat, Linux 3.0
- RedHat, Linux Advanced Workstation 2.1 Itanium
- Sun, Solaris 7.0
- Sun, Solaris 8
- Sun, Solaris 9
Remedy:
Upgrade to the latest version of MIT Kerberos 5 (krb5-1.3.4 or later), when it becomes available, from the MIT Kerberos Web page. See References.
For Mandrake Linux:
Upgrade to the latest krb5 package, as listed below. Refer to MandrakeSoft Security Advisory MDKSA-2004:056-1 : krb5 for more information. See References.
Mandrake Linux 9.1: 1.2.7-1.2.91mdk or later
Mandrake Linux 9.2: 1.3-3.1.92mdk or later
Mandrake Linux Multi Network Firewall 8.2: 1.2.2-17.6.M82mdk or later
Mandrake Linux Corporate Server 2.1: 1.2.5-1.5.C21mdk or later
Mandrake Linux 10.0: 1.3-6.1.100mdk or later
For Red Hat Linux:
Upgrade to the latest krb5 package, as listed below. Refer to RHSA-2004:190-14 for more information. See References.
Red Hat Enterprise Linux AS (v. 2.1), ES (v. 2.1), WS (v. 2.1), and Red Hat Linux Advanced Workstation 2.1 for the Itanium Processor: 1.2.2-27.src or later
Red Hat Enterprise Linux (v. 3), AS (v. 3), ES (v. 3), WS (v. 3), Desktop: 1.2.7-24.x86 or later
For Debian GNU/Linux 3.0 (alias woody):
Upgrade to the latest krb5 package (1.2.4-5woody5 or later), as listed in DSA-520-1. See References.
For Gentoo Linux:
Upgrade to the latest version of mit-krb5 (1.3.3-r1 or later), as listed in GLSA 200406-21. See References.
For Conectiva Linux:
Upgrade to the latest krb5 package, as listed below. Refer to Conectiva Linux Security Announcement CLSA-2004:860 for more information. See References.
Conectiva Linux 9: 1.2.7-28721U90_3cl or later
Conectiva Linux 10.0: 1.3.3-62470U10_2cl or later
For Sun Solaris:
Apply the appropriate patch for your system, as listed below. Refer to Sun Alert ID: 57559 for more information. See References.
SPARC Platform
Solaris 8: 112237-11 or later and 112390-09 or later
Solaris 9: 112908-16 or later
SEAM 1.0 (for Solaris 7): 112536-05 or later
x86 Platform
Solaris 8: 112240-08 or later and 112238-10 or later
Solaris 9: 115168-05 or later
SEAM 1.0 (for Solaris 7): 112537-05 or later
For other distributions:
Contact your vendor for upgrade or patch information.
Consequences:
Gain Access
References:
- BugTraq Mailing List, Tue Jun 01 2004 - 15:32:42 CDT, MITKRB5-SA-2004-001: buffer overflows in krb5_aname_to_localname at http://archives.neohapsis.com/archives/bugtraq/2004-06/0011.html.
- CIAC Information Bulletin O-155, Kerberos Buffer Overflow Vulnerability [REVISED 23 Jun 2004] at http://www.ciac.org/ciac/bulletins/o-155.shtml.
- CIAC Information Bulletin O-155, Kerberos Buffer Overflow Vulnerability at http://www.ciac.org/ciac/bulletins/o-155.shtml.
- CIAC Information Bulletin O-212, Apple Security Update at http://www.ciac.org/ciac/bulletins/o-212.shtml.
- Conectiva Linux Security Announcement CLSA-2004:860, Multiple vulnerabilities in Kerberos 5 at http://distro.conectiva.com.br/atualizacoes/index.php?id=a&anuncio=000860.
- MIT Kerberos Web site, Kerberos: The Network Authentication Protocol at http://web.mit.edu/kerberos/.
- Sun Alert ID: 57559, Solaris/SEAM Kerberos 5 Vulnerability Due To Buffer Overflows In krb5_aname_to_localname() at http://sunsolve.sun.com/search/document.do?assetkey=1-26-57580-1&searchclause=.
- Sun Alert ID: 57580, Solaris/SEAM Kerberos 5 Vulnerability Due To Buffer Overflows In krb5_aname_to_localname() at http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F57580&zone_32=category%3Asecurity.
- Sun Alert ID: 57580, Solaris/SEAM Kerberos 5 Vulnerability Due To Buffer Overflows In krb5_aname_to_localname() at http://sunsolve.sun.com/search/document.do?assetkey=1-26-57580-1&searchclause=.
- BID-10448: MIT Kerberos 5 KRB5_AName_To_Localname Multiple Principal Name Buffer Overrun Vulnerabilities
- CVE-2004-0523: Multiple buffer overflows in krb5_aname_to_localname for MIT Kerberos 5 (krb5) 1.3.3 and earlier allow remote attackers to execute arbitrary code as root.
- DSA-520: krb5 -- buffer overflows
- GLSA-200406-21: mit-krb5: Multiple buffer overflows in krb5_aname_to_localname
- MDKSA-2004:056: Updated krb5 packages fix buffer overflow vulnerabilities
- MDKSA-2004:056-1: Updated krb5 packages fix buffer overflow vulnerabilities
- RHSA-2004-236: krb5 security update
- US-CERT VU#686862: MIT Kerberos 5 krb5_aname_to_localname() contains several heap overflows
Reported:
Jun 01, 2004
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net
